Free Malware Removal Forum


My Internet Explorer is defaulting to the webpage "Guarduptodate.com" specifying that my internet security is compromised and I am exposed to hackers & breakdowns. It further goes on to list Malware Wipe and Pest Trap as suitable software products to fix the problem. I also am getting a pop up Microsoft Explorer Warning that "W32.MYZOR.FK@YF" is a virus affecting .exe extensions.

Currently Internet Explorer is slow and unreliable in directing to webpages, with continual closures.

I have already tried to fix the problem looking at a number of past problems and solutions in using Ewido, Avast, Smitfraud with no success.

Delete all instances of SmitfraudFix or Smitrem, we will use the latest version since it's updated almost daily. There is a new variant of SpyFalcon running in the wild and I think you might be affected by it.

Other than that, you have a trojan on your PC and Messenger Plus 3 comes bundled with LOP (known to change your homepage). I recommend the uninstall of Messenger Plus 3.

I would like to see a startuplist as a start too please. The fact that you are unable to remove the infection may be related to different issues. Please follow the instructions below and post the requested logs. Registry may be disabled or we might find ourselves confronted with a rootkit.

Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Before we start to fix your computer, I would like you to move HijackThis to its own folder. Do not attempt to fix anything before you have moved HijackThis.
Create a folder for Hijackthis on the C: drive called C:\HJT. You can do this by going to My Computer then double click on C: then right click and select New then Folder and name it HJT.
Locate HijackThis.exe and right click on it, select cut, right click in the folder you just created and select paste.
______________________________

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.
______________________________

Run HijackThis, click on None of the above, just start the program, click on Scan. Put a check in the box on the left side of the following items if still present:

O20 - Winlogon Notify: winjyp32 - winjyp32.dll (file missing)

Close ALL windows and browsers except HijackThis and click Fix Checked
______________________________

Using Windows Explorer, Search and Delete these Files if listed:

C:\WINDOWS\system32\winjyp32.dll

If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is uncheck it and try again.

Using Windows Explorer, Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Note : You will probably find a lot of files, random names like in the sample below - all are *.tmp or *.tmp.exe - make sure you get them all or you will get reinfected by the trojan! Let me know if you are unable to delete them.

C:\WINDOWS\Temp\win53D.tmp
C:\WINDOWS\Temp\win53F.tmp.exe

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.
______________________________

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!
______________________________

Reboot in normal Mode

Open the C:\WinPFind folder and double-click on WinPFind.exe.
Click on Configure Scan Options.
Remove all the checkmarks under Folder Options on the left side by clicking the button Remove All, uncheck Run Addon's and click Apply.
Click on the Start Scan button and wait for it to finish.

Please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log file named C:\WinPFind\WinPFind.txt. Please copy that log into your next reply.
______________________________

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then start to download the latest definition files.

Once the scanner is installed and the definitions downloaded, click Next.

Now click on Scan Settings

In the scan settings make sure that the following are selected:

Scan using the following Anti-Virus database:

Extended (If available otherwise Standard)

Scan Options:

Scan Archives

Scan Mail Bases

Click OK

Now under select a target to scan select My Computer

The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.

Now click on the Save as Text button:

Save the file to your desktop.

Copy and paste that information in your next post.

______________________________

Run HijackThis, click on Open the Misc Tools Section, put a checkmark in List also minor sections and List empty sections. Click on Generate StartupList log, answer Yes and copy/paste the content in your reply.
Click Back and Click on Scan. When the scan is finished, click Save Log and paste the content in your reply.
______________________________

Create a folder for Findlop on the C: drive called C:\lop. You can do this by going to My Computer then double click on C: then right click and select New then Folder and name it lop. Extract all the files from the zip archive into that folder.

Open the lop folder and double-click findlop.bat and it will create the file C:\findlop.txt
Copy the content into your next post.
______________________________

Please post:

c:\rapport.txt

Winpfind log

Results of the Kaspersky Scan

A new HijackThis log and the startuplist

C:\findlop.txt

You may need several replies to post the requested logs, otherwise they might get cut off.
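
The Temp-folder check from the instructions above, as an added example that is not part of the original thread: it lists every leftover `*.tmp` / `*.tmp.exe` file in the system Temp folder and in each profile's `Local Settings\Temp`, and flags files that are read-only or begin with the `MZ` executable header. The `MZ` check, the function names and the sample files are additions constructed for illustration.

```python
import os
import stat
import tempfile
from pathlib import Path

# Name patterns taken from the note in the post: "*.tmp or *.tmp.exe".
SUSPECT_SUFFIXES = (".tmp", ".tmp.exe")


def temp_dirs(system_root, profiles_root):
    """Return the system Temp folder plus each profile's Local Settings/Temp that exists."""
    candidates = [Path(system_root) / "Temp"]
    profiles = Path(profiles_root)
    if profiles.is_dir():
        for profile in sorted(profiles.iterdir()):
            candidates.append(profile / "Local Settings" / "Temp")
    return [d for d in candidates if d.is_dir()]


def starts_with_mz(path):
    """True if the file begins with the 'MZ' magic of a DOS/PE executable."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False  # unreadable (locked, permissions): cannot tell


def audit(dirs):
    """List leftover *.tmp / *.tmp.exe files under the given folders, sorted by path."""
    findings = []
    for top in dirs:
        for root, _subdirs, files in os.walk(top):
            for name in files:
                if not name.lower().endswith(SUSPECT_SUFFIXES):
                    continue
                full = Path(root) / name
                mode = full.stat().st_mode
                findings.append({
                    "path": str(full),
                    "executable": starts_with_mz(full),
                    # The post's advice: a delete error may mean the
                    # read-only attribute is set on the file.
                    "read_only": not (mode & stat.S_IWRITE),
                })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree(base):
    """Constructed sample data: a miniature XP-style directory layout."""
    base = Path(base)
    win_temp = base / "WINDOWS" / "Temp"
    profiles = base / "Documents and Settings"
    alice = profiles / "alice" / "Local Settings" / "Temp"
    bob = profiles / "bob" / "Local Settings" / "Temp"
    for d in (win_temp, alice, bob, profiles / "All Users"):
        d.mkdir(parents=True)
    (win_temp / "win53D.tmp").write_bytes(b"scratch data")
    (win_temp / "win53F.tmp.exe").write_bytes(b"MZ\x90\x00 constructed")
    (win_temp / "setup.log").write_text("not a match")
    locked = alice / "winA1.tmp"
    locked.write_bytes(b"MZ constructed")  # executable hiding behind .tmp
    os.chmod(locked, stat.S_IREAD)         # sets the read-only attribute
    return base / "WINDOWS", profiles


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        system_root, profiles_root = build_sample_tree(base)
        for f in audit(temp_dirs(system_root, profiles_root)):
            flags = [k for k in ("executable", "read_only") if f[k]]
            print(f["path"], ", ".join(flags) or "-")
```

An empty result from `audit` after the cleanup step means none of the files matching the patterns in the note remain in those folders.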

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

LOP is not active, I suppose you did install Messenger Plus 3 without the sponsors. You may keep it if you want otherwise go to Add / Remove programs and remove it from there.

Spyfalcon

@="C:\WINDOWS\system32\reglogs.dll"

You have indeed the very latest version of Spyfalcon. This file is responsible for the infection and it has been added yesterday to SmitfraudFix. Let's clean it up for good.
______________________________

Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

You will need to update Ewido to the latest definition files.

On the left-hand side of the main screen click the Update Button.

Click on Start.

The update will start and a progress bar will show the updates being installed.
Once finished updating, close Ewido.

If you are having problems with the updater, you can use this link to manually update ewido. Ewido manual updates. Make sure to close Ewido before installing the update.
______________________________

Reboot your computer in Safe Mode.

If the computer is running, shut down Windows, and then turn off the power.

Close ALL windows and browsers except HijackThis and click Fix Checked
______________________________

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if your computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________

Using Windows Explorer, Navigate to C:\Windows\Prefetch
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Clean out your Temporary Internet files. Proceed like this:

Quit Internet Explorer, all browsers and quit any instances of Windows Explorer.

For Internet Explorer 4.x and Up

Click Start, click Control Panel, and then double-click Internet Options.

On the General tab, click Delete Files under Temporary Internet Files.

In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.

On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.

Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.

Click OK.

For Netscape 4.x and Up

Click Edit from the Netscape menubar.

Click Preferences... from the Edit menu.

Expand the Advanced menu by clicking the triangle sign.

Click Cache.

Click both the Clear Memory Cache and the Clear Disk Cache buttons.

For Mozilla 1.x and Up

Click Edit from the Mozilla menubar.

Click Preferences... from the Edit menu.

Expand the Advanced menu by clicking the plus sign.

Click Cache.

Click the Clear Cache button.

For Opera

Click File from the Opera menubar.

Click Preferences... from the File menu.

Click the History and Cache menu.

Click the two Clear buttons next to Typed in addresses and Visited addresses (history) and click the Empty now button to clear the Disk cache.

Click Ok to close the Preferences menu.

Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

Close ALL open Windows / Programs / Folders. Please start Ewido, and run a full scan.

Click on Scanner

Click on Settings

Under How to scan all boxes should be checked

Under Unwanted Software all boxes should be checked

Under What to scan select Scan every file

Click on Ok

Click on Complete System Scan to start the scan process.

Let the program scan the machine.

If Ewido finds anything, it will pop up a notification. When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says Perform action on all infections and put a checkmark in the box next to Create encrypted backup, then choose clean and click Ok.

Once the scan has completed, there will be a button located on the bottom of the screen named Save Report.

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
______________________________

Please post:

c:\rapport.txt

Ewido log

A new HijackThis log

You may need several replies to post the requested logs, otherwise they might get cut off.

I have thankfully followed your steps. It appears all virus traces have been fixed. Are you please able to verify. Also all seems to be working well so far, and the homepage defaults to its correct web page.

I have indeed deleted the older version of Messenger 3 (using a newer version), and have upgraded to Mozilla Firefox version 1.0.7.

Would you recommend that we minimise use of Windows explorer browser (in preference of Firefox to reduce Malware and compromised insecurities).

Also I have been using 1) McAfee Virus Scan V4.5.1 SP1
2) ZoneAlarm vers 6.1.737.000

It appears all virus traces have been fixed. Are you please able to verify. Also all seems to be working well so far, and the homepage defaults to its correct web page.

Everything looks fine to me. I'm pleased to hear that you have your webpage back and that the PC is running fine again.

I have indeed deleted the older version of Messenger 3 (using a newer version)

As far as I know, Messenger has always been bundled with LOP but it seems that you did install it without the sponsor stuff since I don't see any scheduled tasks or strange applications which are responsible for homepage redirects.

Would you recommend that we minimise use of Windows explorer browser (in preference of Firefox to reduce Malware and compromised insecurities).

One can use Internet Explorer without being compromised by malware, it's a matter of settings and surf attitude. Firefox might reduce the risk but you have to be aware that Mozilla browsers have some security failures and bugs too. Imo, nothing is completely perfect but the use of Firefox might contribute to a safer surfing.
Keeping the PC up to date by installing all the security updates, keeping your programs up to date are also very important steps to minimize the risks.

Also I have been using 1) McAfee Virus Scan V4.5.1 SP1 2) ZoneAlarm vers 6.1.737.000

Spybot is good to perform a scan from time to time. It cleans up the registry too. I don't know Spyware Doctor myself but I heard that it was a very decent and good product for real-time protection. Sometimes a bit heavy in CPU usage according to a friend of mine. You already have Avast installed, thus I would keep it if I were you. Ewido is a very fine product, and particularly good at catching trojans. If you find it useful you might want to consider buying the full program. When the trial period ends, the real-time protection and the automatic update feature will stop working. You still will be able to update the program manually and scan your computer regularly. SmitFraudFix is just a tool to clean up a particular infection. It cannot be used as a scanner or a protection. It must be used with care and only on advice of qualified helpers. You may delete its folder since it has done its job perfectly.

We've still got a few details to fix. Please reset System Restore to remove eventual backups of the spyware and trojans.

Turn off System Restore

Click Start, right-click My Computer, and then click Properties.

Click the System Restore tab.

Select the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.

Click Yes when you receive the prompt to the turn off System Restore.

Reboot your computer.

Turn System Restore back on

Click Start, right-click My Computer, and then click Properties.

Click the System Restore tab.

Clear the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.

A new restore point will be created automatically.
______________________________

Hide your system files again.

Click Start.

Click My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab.

Under the Hidden files and folders heading uncheck Show hidden files and folders.

Check the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Click OK.

______________________________

******PLEASE READ******

It is very rewarding to see that your computer is clean. May I urge you to stand up and be counted! Document your experience, and by doing so, launch a complaint against the makers of malware. You can make a difference. Click on the Malware Complaints link in my signature and support our cause. Thank you.
______________________________

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Windows, Internet Explorer and Microsoft Office Updates

Visit Microsoft's Windows Update Site frequently. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

If you are running Microsoft Office, or any application of it, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed.

If you have trouble with Windows Update, you still can get all the Critical Updates, Security Fixes and Service Packs. Below are a few links to bookmark.

The most current version of Sun Java is: Java Runtime Environment Version 5.0 Update 6

To check if you have the latest version installed and get the needed updates, please go to the link below:
http://www.java.com/en/download/windows_automatic.jsp
You'll need to use IE and allow ActiveX for this update. Follow the instructions on that page to check your Java Software.

Check in your Control Panel, under Add/Remove programs and uninstall ALL older versions of Sun Java. And in the future, remember to remove older versions of Java when you automatically update to a newer version to avoid exploitation of older versions left on your system.

SpywareBlaster
SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
You can download SpywareBlaster here
A tutorial can be found here

SpywareGuard
It provides a degree of real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method. An anti-virus program scans files before you open them and prevents execution if a virus is detected - SpywareGuard does the same thing, but for spyware. And you can easily have an anti-virus program running alongside SpywareGuard. It also features Download Protection and Browser Hijacking Protection.
You can download SpywareGuard here
A tutorial can be found here

IE-SPYAD
IE-SPYAD puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. It basically prevents any downloads, cookies, scripts from the sites listed, although you will still be able to connect to the sites.
You can download IE-SPYAD here
A tutorial can be found here

Hosts File
A Hosts file replaces your current HOSTS file with one containing well known ad, spyware sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
A tutorial can be found here

MVPS Hosts File
You can download the MVPS Hosts File here
Furthermore the website contains useful tips and links to other resources and utilities.

Bluetack's Hosts File and Hosts Manager
Essentially based on the research made by Webhelper, Andrew Clover and Eric L. Howes, it contains most if not all the known spyware sites, sites responsible for hijacks, rogue applications etc...
Download Bluetack's Hosts file here
Download Bluetack's Hosts Manager here

Install Spyware Detection and Removal Programs

Ad-Aware
It scans for known spyware on your computer. These scans should be run at least once every two weeks.
You can download Ad-Aware here
A tutorial can be found here

Spybot - Search & Destroy
It scans for spyware and other malicious programs. Spybot has preventive tools that stop programs from even installing on your computer.
You can download Spybot - S&D here
A tutorial can be found here

Before adding any other Spyware Detection and Removal programs always check the Rogue Anti-Spyware List for programs known to be misleading, mistaken, or just outright "Foistware". You will find the list here

Ewido Security Suite

Realtime protection against these threats:

Hijackers and Spyware
Secure surfing in the Internet without fear of annoying changes of the start page of your browser, tracking cookies and advertising bars.

Worms
Nobody should receive e-mails in your name with malicious files in the appendix anymore.

Dialers
Security against all kinds of dialers. No fear when receiving the next phone bill.

Most of you will have already the trial version of this software, which is an excellent program and particularly good at catching trojans. If you find it useful you might want to consider buying the full program. When the trial period ends, the real-time protection and the automatic update feature will stop working. You still will be able to update the program manually.
You can download Ewido Security Suite here
Ewido manual updates. Make sure to close Ewido before installing the update.

WinPatrol

WinPatrol uses a heuristic approach to detecting attacks and violations of your computing environment. Traditional security programs scan your hard drive searching for previously identified threats. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. You'll be removing dangerous new programs while others download new reference files.

Detect & Neutralize Spyware.

Detect & Neutralize ADware.

Detect & Neutralize Viral infections.

Detect & Neutralize Unwanted IE Add-Ons.

Detect & Restore File Type Changes.

Automatically Filter Unwanted Cookies.

Avoid Start Page Hijacking.

Detect changes to HOSTS & critical system files.

Kill Multiple Tasks that replicate each other, in a single step!

Stop programs that repeatedly add themselves to your Startup List!

Starting with WinPatrol 9.5 PLUS users also get the addition of Real-time Infiltration Detection so they'll know immediately when changes are made to critical system areas. WinPatrol Free is not demo or trial software. You're welcome to use it as long as you like.
You can download WinPatrol here
WinPatrol FAQ

SiteHound by Firetrust

Firetrust introduces the SiteHound Toolbar - the safe way to browse the Internet. With SiteHound, when you browse the Internet, you're shown a warning page every time you go to a site which is a known scam, potentially loads viruses or spyware on to your computer, has questionable content or anything you would not consider reasonable. You are shown a warning page with information about that site. From there you can choose to enter the site or go back. SiteHound is a free add-on to Internet Explorer. (Users of Firefox - a version for you is coming soon.) SiteHound's comprehensive database gathers the knowledge from other users and respected experts from the online security community to tell you which sites are real and which are bogus.

SiteHound will alert you when you enter a site which is known to contain:

It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See the link below for a listing of some online & their stand-alone antivirus programs.
Computer Safety On line - Anti-Virus
http://www.malwareremoval.com/forum/viewtopic.php?p=53#53

Update your Anti Virus Software

It is imperative that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall

I can not stress enough how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For an article on Firewalls and a listing of some available ones see the link below.
Computer Safety On line - Software Firewalls
http://www.malwareremoval.com/forum/viewtopic.php?p=56#56
A tutorial on Understanding and Using Firewalls can be found here

Additional Information

For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link.

Finally, after following up on all these recommendations, why not run Jason Levine's Browser Security Tests?
They will provide you with an insight on how vulnerable you might still be to a number of common exploits.
http://www.jasons-toolbox.com/BrowserSecurity/

Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints Malware Complaints, you do not have to be registered to post.. just find your country room and register your complaint.

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted
